Date:      Fri, 18 Aug 2006 09:46:29 +1000 (EST)
From:      Mark Andrews <Mark_Andrews@isc.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/102205: login failure: ssh + gssapi + dual stacks + packet loss
Message-ID:  <200608172346.k7HNkTwa034630@drugs.dv.isc.org>
Resent-Message-ID: <200608172350.k7HNoEL6071636@freefall.freebsd.org>



>Number:         102205
>Category:       bin
>Synopsis:       login failure: ssh + gssapi + dual stacks + packet loss
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 17 23:50:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Mark Andrews
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
ISC
>Environment:
System: FreeBSD drugs.dv.isc.org 6.1-STABLE FreeBSD 6.1-STABLE #8: Tue Jul 11 14:48:05 EST 2006 marka@drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS i386


>Description:

	ssh client, ssh server and kdc are dual stack.

	If, when talking to the kdc, you lose the reply packet, ssh will attempt
	to send the same packet to the kdc using the alternate transport.  This
	results in a replay attack being reported and the login failing.

09:27:04.370657 2001:470:1f00:820:208:74ff:fe9f:eeae.1798 > 2001:4f8:3:bb::4.88:  [flowlabel 0x670b8]
09:27:05.378122 192.168.191.251.3785 > 204.152.187.4.88: 
09:27:05.551681 204.152.187.4.88 > 192.168.191.251.3785: 

>How-To-Repeat:
	
	Configure a dual stack kdc and configure a firewall to block the
	replies from the kdc over IPv6.  Attempt to log in using gssapi.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
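
A triage sketch for the capture in this report, added here as an example and not part of the original PR: it parses the three tcpdump lines quoted above and flags a KDC request that got no reply and was retried on the other address family. The function names and the 5-second retry window are assumptions.

```python
import re
from datetime import datetime

# The three tcpdump lines from the report (trailing whitespace dropped).
CAPTURE = """\
09:27:04.370657 2001:470:1f00:820:208:74ff:fe9f:eeae.1798 > 2001:4f8:3:bb::4.88:  [flowlabel 0x670b8]
09:27:05.378122 192.168.191.251.3785 > 204.152.187.4.88:
09:27:05.551681 204.152.187.4.88 > 192.168.191.251.3785:
"""

# tcpdump prints "time src.port > dst.port:"; the port is the last dotted field.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+):")
KDC_PORT = 88  # Kerberos KDC port, as seen in the capture


def parse(text):
    """Yield (time, src, sport, dst, dport) for each line that matches."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            yield ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))


def family(addr):
    """Classify an address as printed by tcpdump."""
    return "IPv6" if ":" in addr else "IPv4"


def answered(req, pkts):
    """True if a later packet carries the request's 4-tuple reversed."""
    _, src, sport, dst, dport = req
    return any(p[0] > req[0] and p[1:] == (dst, dport, src, sport) for p in pkts)


def kdc_failovers(text, window=5.0):
    """Report unanswered KDC requests retried on the other address family.

    Assumes the capture does not span midnight (timestamps carry no date).
    """
    pkts = list(parse(text))
    requests = [p for p in pkts if p[4] == KDC_PORT]
    findings = []
    for i, req in enumerate(requests):
        if answered(req, pkts):
            continue
        for retry in requests[i + 1:]:
            gap = (retry[0] - req[0]).total_seconds()
            if gap <= window and family(retry[3]) != family(req[3]):
                findings.append({"lost": family(req[3]), "retry": family(retry[3]),
                                 "gap_s": round(gap, 6),
                                 "retry_answered": answered(retry, pkts)})
                break
    return findings
```

On the capture above this reports one finding: the IPv6 request goes unanswered, and the IPv4 retry follows about one second later and is answered.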

